
Security Considerations for Cloud Computing (Part 2)

IRCAR201304169
Date:2013-04-15
 
Introduction
In the first part in this series on private cloud security, we went over what makes up a private cloud. Many people think of private cloud as something that is little different from what they already have, and others might think that cloud is just a virtualized datacenter. Both of these assumptions are false, and we covered the reasons for that in the first part of this series.
As a quick recap, a cloud (private or public) must enable the following five essential characteristics in order to be considered a cloud:
· On-demand self-service
· Broad network access
· Sharing of pooled resources
· Rapid elasticity
· Metered services
While a traditional datacenter might contain some of these characteristics, it’s unlikely that it will contain all of them. And if the datacenter does support all five of these, it’s likely that some of the capabilities are siloed, and therefore the entire system doesn’t benefit from tight integration of all five of the essential characteristics that make up the cloud definition.
Now, what about security? Security in the private cloud looks a lot like security in the traditional datacenter. You still need to worry about network security, authentication, authorization and auditing, you need to be concerned about identity management, and you need to consider the security issues at every layer of the network and computing stack. There’s nothing magical or revolutionary about private cloud security. Nevertheless, there are a few things unique to the private cloud that should lead you to refocus your security priorities in particular areas.
One way to think about the security issues that are more specific for the private cloud is to think about the security effects of the five essentials characteristics that define a cloud computing solution. How should you think about security in a world of self-service computing? What about the security issues related to broad network access? And what about the security issues related to sharing of abstracted, pooled resources? This is the approach we’ll take toward private cloud security in today’s discussion.
How Does On-Demand Self-Service Impact Private Cloud Security?
On-demand self-service allows consumers of a private cloud solution to obtain the compute, network, memory and storage resources they desire, based on their ability to pay for these resources. In addition, if you deploy PaaS (Platform as a Service) or SaaS (Software as a Service) in your private cloud, then consumers of the cloud service can also obtain development platform and finished services. What are the effects of self-service and how do they impact security?
The first thing that comes to mind is the fact that you no longer are in complete control of the workloads in your datacenter, or even of the operating systems that are running within your datacenter. Unlike the days of the traditional datacenter, where you racked and stacked and installed the operating system and then installed the workload software, with private cloud on-demand self-service, the consumers of your cloud services will spin up new operating systems, create new applications, and run your finished services, depending on the service models you want to make available to your customers.
This creates a situation where you no longer have the deep insight that you once had into what’s running in your datacenter. In the past, you had hands-on experience with most of the components, and you configured your monitoring systems so that they were pointed at known systems that you and your team instantiated. With the private cloud, you are, for the most part, completely unaware of what your customers are doing with the resources you provide them in your private cloud infrastructure.
This means you need to be much more proactive about your monitoring, alerting and reporting capabilities. The cloud infrastructure will need to be able to inform you about how your customers are using the infrastructure and must be able to alert you when there is misuse or some other out of policy activity taking place. In addition, you need comprehensive reporting on a daily or even more frequent basis so that you can perform detailed trend analysis in order to prevent exhaustion of your pooled resources due to over commitment to your cloud service customers.
Monitoring, alerting and reporting tools are going to need to be updated and replaced to support an on-demand self-service private cloud infrastructure. Most of the tools that we use today are designed to work in a datacenter where IT has control over the hardware and software infrastructures, and work orders are created to request IT to enable whatever computing services are required. In the private cloud, the critical enabler of on-demand self-service is that there is no requirement for administrative interaction between the cloud service consumer and the cloud infrastructure administrators. Users just pick out what they need from your service catalog and away they go!
Other Security Considerations Related to On-Demand, Self-Service
While the monitoring, alerting, and reporting infrastructure is probably the most significant consideration when thinking about the on-demand self-service characteristics of the private cloud, there are a few other issues that you should consider. Some of these include:
· How will you decide who has rights to consume cloud services?
· Does your AAA (Authentication, Authorization and Accounting) and cloud infrastructure support the ability to scope rights to particular offerings in your service catalog, or will everyone who has rights to obtain cloud services have the right to obtain anything in the service catalog?
· Do you have a way to automate security responses to possible DoS (denial of service) situations where a consumer of cloud services attempts to oversubscribe the system?
· Do you have a mechanism available to assure that self-service customers cannot “break out” of their customer role into a cloud administrator role?
· Do you have a way to control the behaviors of the operating system and services that your self-service customers will install?
· Do you have a way to identify self-service customers that might represent a potential threat, such as customers who are using stolen credentials?
These are just a few of the security issues that you need to consider when working in a new IT environment where your customers – not you – are driving the datacenter activity. Automation is going to be a critical enabler for you as you try to maintain control of a self-service environment. Automation will be used in your monitoring, alerting and reporting and automation will also need to be used to secure the workloads that run on the cloud infrastructure.
Summary
In this article, we introduced the idea of thinking about private cloud security within the context of each of the five essential characteristics that define a cloud-based solution. We began with the first essential characteristic, which is on-demand self-service. The primary security concern with on-demand self-service relates to the fact that IT is no longer in total control of which operating systems and workloads run in the datacenter. In the third part of this series, we’ll take a look at how the “broad network access” essential characteristic of the private cloud influences your security design.
Created: 18 Mordad 1393